Microsoft will allow consumers to log in to their Microsoft accounts without a password, the company announced.
In March 2021, Microsoft announced that commercial customers could use passwordless authentication to log into their accounts through Azure Active Directory. More than 200 million users adopted the authentication method.
Starting today, Microsoft said, users can remove the password from their Microsoft accounts and sign in through the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to a phone or email.
Microsoft Corporate Vice President Liat Ben-Zur said passwordless login would help protect Microsoft accounts from identity attacks like phishing.
All Microsoft accounts now support passwordless login
Microsoft’s journey towards a passwordless future began in 2018 with the rollout of security keys and continued in 2019 when Windows 10 became passwordless.
All Microsoft accounts now support passwordless security, according to Microsoft Security, Compliance & Identity Corporate Vice President Vasu Jakkal.
The feature can be used to access various apps and services, including Microsoft 365, Microsoft Outlook, Microsoft OneDrive, Microsoft Family Safety, Microsoft Edge, and others.
Losing a password can cause customers to stop using a service
While rolling out passwordless sign-in on Microsoft accounts, the tech giant painted a grim picture of using passwords to protect accounts.
Microsoft says that the pain of losing a password is enough to make customers stop using a service. According to Microsoft research, a third of customers would rather stop using a service than deal with a lost password, which means businesses lose customers, and revenue, over lost passwords.
To avoid this painful experience, most users create simple and memorable passwords that they can remember without requiring a password manager.
“Unfortunately, while such passwords may be easier to remember, they are also easier for a hacker to guess,” Jakkal wrote.
For example, Microsoft found that 15% of people used their pets' names to generate passwords. Others used family names and important dates. Similarly, 10% reused passwords across sites, while 40% used a predictable formula.
“Security has always been a balance of ease of use and security,” noted Tyler Shields, CMO at JupiterOne. “The cyber security vendor community must drive towards creating easy-to-use cyber security experiences that deliver an acceptable level of security to the technologies that the consumers demand.
“A good example of this is the move to single sign-on and passwordless authentication. Users have failed to maintain proper passwords for decades, which will never change, so innovation must build an easy-to-use alternative that provides appropriate security with a much better user experience. Enterprises have to find the right balance of technology innovation alongside security for traditional models.”
18 billion password attacks every year
Jakkal disclosed that Microsoft recorded 18 billion password attacks on Microsoft accounts every year, averaging 579 attacks per second.
Consequently, Redmond advises its users to enable passwordless login on their Microsoft accounts. Users can do so by installing the Microsoft Authenticator app, then visiting account.microsoft.com and turning on “Passwordless account” under Advanced security options > Additional security.
However, Microsoft does not compel users to go passwordless on their Microsoft accounts. The tech giant lets them restore password login through the same process.
Tech giants pursuing a passwordless future
Microsoft is hardly the only tech giant pursuing a passwordless future. Google allows users to log into Chrome without a password, while Apple announced the iCloud Keychain, a safer password alternative in Apple’s ecosystem.
Although passwordless authentication is recommended, account recovery is usually a painful process after losing the phone that holds the authenticator. Additionally, using email or SMS verification codes as the passwordless factor introduces an attack vector that could be used to compromise accounts.
“Passwordless is sometimes a misleading term,” says Joseph Carson, Chief Security Scientist and Advisory CISO at ThycoticCentrify. “In reality, it is all about less password interactions and helping move passwords in the background, reducing both password pain and cyber fatigue. Authentication is still happening, however, it is becoming more contextual.”
Carson added that a true passwordless world does not exist and the term was synonymous with less password interaction.